How to reject a certificate with access_denied?
Christian Schmidt
schmidt at digadd.de
Wed Jun 8 11:54:11 UTC 2022
On 07/06/2022 15:02, Matt Caswell wrote:
>
>
> On 07/06/2022 13:46, Michael Richardson wrote:
>> Matt Caswell <matt at openssl.org> wrote:
>> > On 06/06/2022 18:08, Christian Schmidt wrote:
>> >> Hi,
>> >> I am building a server application that allows a user to log in by
>> >> providing a certificate. In order to do custom checks, I have added a
>> >> verify callback to my code to check the certificate on top of its
>> >> cryptographic features (CA Valid, etc).
>> >> If the certificate does not pass my extended checks, I would like to
>> >> return the access_denied alert as per RFC8446 section 6.2:
>> >> access_denied: A valid certificate or PSK was received, but when
>> >> access control was applied, the sender decided not to proceed with
>> >> negotiation.
>> >> However, I can't find a way to generate this alert in openssl, although
>> >> openssl can handle receiving it.
>> >> How do I make a callback return a non-defined (as in not defined in the
>> >> headers) alert?
>>
>> > This is not currently possible.
>>
>> > OpenSSL has an internal table which maps verify errors to TLS alerts:
>> >
>> > https://github.com/openssl/openssl/blob/9f3626f2473bdce53e85eba96e502e950e29e16f/ssl/statem/statem_lib.c#L1350-L1394
>>
>>
>> > Unfortunately there are no entries in this table that map to the
>> > access_denied alert.
>>
>> Would extensions to this list be welcome?
>> Should Christian send a PR?
>
> I would be happy to review such a PR - although it would only be applied
> to master and not 3.0 or 1.1.1. Any PR could only be in the form of
> additions to the table (not modifications to existing entries), so as
> not to break existing behaviour.
By PR, do you mean Problem Report or Pull Request?
Because after reading up on it, it seems that a Pull Request would
require a CLA, and I am not willing to sign any contract under US law (I
have no idea of implications, and a lawyer to explain these is not
reasonably affordable for roughly two LOC). The things I know it for are
unreasonable laws (I suppose an Access Denied alert might be
patentable/copyrightable under US law, while it wouldn't under EU law),
ridiculously off compensations (which seems a risk to me - I do not know
if someone holds a patent/copyright on the alert from the RFC, and do
not know how to check), and violating Europeans' constitutional laws
(see the discussion around safe harbor agreements / GDPR).
Best regards,
Christian